No More Free Bugs: ~10 Years Later
It’s been several years since the “No More Free Bugs” movement started to gain traction, but now it seems as though almost everyone has some form of bug bounty for researchers. This presentation will go over the motivations of certain researchers to stop giving away their work for free and demand satisfaction (well, as close to satisfaction as one can get).
How Many Million BIOSes Would You Like to Infect?
So you think you’re doing OPSEC right, right? You’re going to crazy lengths to protect yourself, reinstalling your main OS every month, or using a privacy-conscious live OS like Tails. Guess what? BIOS malware doesn’t care! BIOS malware doesn’t give a shit!
Though long thought to be impractical, this talk will dispel the illusion that sophisticated BIOS-level malware is exclusively within the realm of possibility for nation-state actors. Recent disclosures of firmware-level vulnerabilities have given us reliable entry vectors into the firmware on almost all systems we have surveyed. Furthermore, the well-defined nature and modularity of UEFI significantly lower the bar for coherently implanting a firmware rootkit onto a system. This talk will detail the result of our 1-month effort to infect the BIOS of every business-class system we could get our hands on.
Picking Fights with Toddlers: Embedded Device & IoT Exploitation
There is a latent distrust of the growing "Internet Of Things" market. The data collected by them is becoming more personal, all while the proliferation of internet-connected devices is continuing without regard to privacy or security. Recent news stories have consumers concerned not only with privacy but also surveillance and data handling. There is no trusted third-party "consumer advocacy" for privacy and security of mobile apps and embedded systems. The designs of these systems make traditional software-based security (like "anti-virus" or "end-point detection") virtually impossible. And if you don't think this is going to be a huge problem: recent research demonstrates that a significant number of the nodes used in CURRENT DDoS attacks are actually compromised embedded devices, NOT user end-points. So, the shift has already begun. The "internet of things" is not just newfangled consumer devices, however. I'll talk a bit about this and a recurring trend we see in these network-enabled embedded systems: something we call the "uncanny valley" that gives rise not only to vulnerabilities but also huge tools gaps for software and hardware security research.
This talk will catalog some of our experiences at Xipiter exploiting these kinds of embedded systems, from trivial "exploitation" to the more advanced hardware exploitation and binary exploitation techniques. We'll talk about how we've applied these techniques to everything from Payment systems and Game Consoles to more esoteric devices like Gaming systems (lottery, casino, etc.) and Industrial Control Systems. We'll also talk about the custom hardware we've developed (and sell to researchers at http://int3.cc) to help us with this stuff, which also demonstrates the "tools gap".